HMAC generation explained with practical examples
What is HMAC?
HMAC (hash-based message authentication code) combines a cryptographic hash function with a secret key to verify both the integrity and authenticity of a message. Unlike a plain hash, an HMAC tag can only be recomputed (and therefore verified or forged) by someone who holds the secret key.
How HMAC works
The HMAC algorithm takes three inputs: a message, a secret key, and a hash function. It processes them through a specific construction:
HMAC(key, message) = H((key ⊕ opad) ∥ H((key ⊕ ipad) ∥ message))

where ipad and opad are fixed padding constants (the key is first padded to the hash function's block size), ⊕ is XOR, and ∥ means concatenation. This nested double hashing prevents the length extension attacks that affect plain Merkle–Damgård hash functions such as MD5, SHA-1 and SHA-256 when they are used directly as H(key ∥ message).
Common use cases
API authentication — AWS, Stripe, and many APIs use HMAC for request signing
Webhook verification — Verify that incoming webhooks are genuinely from the provider
JWT signing — HMAC-SHA256 is a common choice for symmetric JWT signatures
Message integrity — Ensure messages have not been tampered with in transit
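The construction above and the webhook verification use case, as an added example that is not part of the original page: a from-scratch HMAC built exactly as H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ message)), checked against Python's standard library, plus a constant-time verification helper. The key, message and function names are constructed for this example.

```python
import hashlib
import hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(key, message) = H((K ^ opad) || H((K ^ ipad) || message)).

    K is the key brought to the hash's block size: keys longer than the
    block are hashed first, shorter ones are zero-padded (RFC 2104).
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)  # inner padding constant
    opad = bytes(b ^ 0x5C for b in key)  # outer padding constant
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def reference_hmac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Standard-library HMAC, used to cross-check the from-scratch version."""
    return hmac.new(key, message, getattr(hashlib, hash_name)).digest()


def verify_signature(key: bytes, body: bytes, presented_hex: str) -> bool:
    """Webhook-style check: recompute the tag over the raw body and compare it
    in constant time so timing differences do not leak how many bytes matched."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented_hex)


# Constructed sample key and payload (not from any real provider).
KEY = b"demo-secret-key"
MSG = b'{"event":"payment.completed","amount":1999}'

if __name__ == "__main__":
    tag = hmac_from_scratch(KEY, MSG).hex()
    print(tag == reference_hmac(KEY, MSG).hex())      # True
    print(verify_signature(KEY, MSG, tag))           # True
    print(verify_signature(KEY, MSG + b" ", tag))    # False: body was altered
```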
Choosing a hash function
| Algorithm | Output length | Security level |
|---|---|---|
| HMAC-MD5 | 128 bits | Broken, do not use |
| HMAC-SHA1 | 160 bits | Deprecated |
| HMAC-SHA256 | 256 bits | Recommended |
| HMAC-SHA512 | 512 bits | High security |
Generate HMAC online
The HMAC generator supports multiple hash algorithms and output formats (hex, Base64, binary). Try it with your own messages and keys.